
List:       isn
Subject:    [ISN] Windows & .NET Magazine Security UPDATE--June 25, 2003
From:       InfoSec News <isn () c4i ! org>
Date:       2003-06-26 8:53:07

====================

==== This Issue Sponsored By ====

SPI Dynamics
http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3h0Am

J.A. Korsmeyer, Inc.
http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3f0Ak

====================

1. In Focus: Legalizing "Hacking Back": A Comedy of Errors

2. Security Risks
     - Cross-Site Scripting and Script-Injection Vulnerabilities in IE

3. Announcements
     - Attend the Black Hat Briefings & Training, July 28-31 in Las
       Vegas
     - New Active Directory Web Seminar!

4. Security Roundup
     - News: CERT Bulletin Leaked Early--Again
     - News: Microsoft Helps Improve Web Application Security
     - Feature: 3 Tiers for Your CA Hierarchy

5. Instant Poll
     - Results of Previous Poll: Certifications and Hiring
     - New Instant Poll: Fighting Software Piracy

6. Security Toolkit
     - Virus Center
     - FAQ: How Can I Enable Advanced File-System and Sharing Security
       for a Windows XP Machine in a Workgroup?

7. Event
     - Storage Road Show Event Archived!
 
8. New and Improved
     - Set Up Wireless and Wired Security with One Firewall
     - Submit Top Product Ideas

9. Hot Thread
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Hardening the TCP/IP Stack

10. Contact Us
   See this section for a list of ways to contact us.

====================

==== Sponsor: SPI Dynamics ====

ALERT: "How a Hacker Uses SQL Injection to Steal Your Data"
It's as simple as placing additional SQL commands into a Web Form input
box giving hackers complete access to all your backend systems! Firewalls
and IDS will not stop such attacks because SQL Injections are NOT seen as
intruders. Download this *FREE* white paper from SPI Dynamics for a
complete guide to protection!
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3h0Am

====================

==== 1. In Focus: Legalizing "Hacking Back": A Comedy of Errors ====
   by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

You might have heard about the comments that US Senator Orrin Hatch of
Utah made about fighting copyright piracy. In brief, Hatch advocates
using Trojan horse technology to destroy the computers of people who
are thought to have pirated copyrighted works more than twice.

Hatch's sentiments echo ideas that those with vested interests in the
entertainment industry have voiced before. He believes that we might
find better ways to stop piracy. However, if stopping piracy takes
destroying computers through Trojan horse code, he's for it. I think
that the vast majority of you will agree that Hatch's ideas go against
the ideals of democratic society.

Such "hacking back," a form of vigilantism, involves several problems.
First of all, catching and punishing criminals is work for law
enforcement and judicial systems, not copyright holders. In addition,
we currently have no way to determine from a remote location who's
actually using a computer or how serial violations might occur.

For example, one person could use a public computer, perhaps at a
library or Internet cafe, to download files. If that person
inadvertently or unknowingly downloads copyrighted data that wasn't
authorized for public distribution, that's one strike against that
computer. A second person might later make the same error. Under the
ideas that Hatch supports, if a third person downloads copyrighted
data not authorized for public use, the injured entity could destroy
that computer with a Trojan horse, which the entity would probably
launch from a remote location. Meanwhile, the library or Internet cafe
would suffer a significant loss for something it did not "do."

The idea makes little sense. I'm sure Hatch meant well in
acknowledging software piracy as a serious problem; however, he
doesn't seem to understand the underlying technical implications of
this form of prevention. People have pointed out that destroying a
computer used to download pirated material is akin to destroying the
engine of a car because police caught the driver speeding in that car
too often. The idea is to produce a financial loss in retaliation for
a financial loss, but it amounts to punishing an inanimate
technological object for the acts of its operators.

The timing of Hatch's statements was rather ironic. According to a
"Wired" report (see the first URL below), at the time the statements
were made, Hatch's Web site was using unlicensed copyrighted
JavaScript code to facilitate its menu system. (A notice posted on
Milonic Solutions' Web site--see the second URL below--states that the
license issue with Hatch's Web site has been resolved.) If Hatch's
ideas became law, the computer running his Web site could have been
destroyed and Hatch, a lawmaker, denied due process. I seriously doubt
that he would have appreciated that.
   http://www.wired.com/news/politics/0,1283,59305,00.html
   http://www.milonic.co.uk/menu/

According to "Wired," the JavaScript code on Hatch's Web site belongs
to Milonic Solutions, whose menuing-system code was (at the time of
this writing) being used without license across large parts of
Continental Airlines' Web site. Furthermore, according to Milonic
Solutions, someone had stripped all copyright notices from the menuing
code Continental uses. Imagine the impact if a Trojan horse were
legally unleashed to destroy Continental's computers. Make any sense
to you?

Many copyright holders need a way to better control unauthorized
duplication of their works. But using Trojan horses to destroy
computers isn't a good answer. Microsoft's Digital Rights Management
(DRM) technology might help when it comes to certain types of data.
But if someone really wants to pirate copyrighted materials (e.g.,
code, multimedia, documents), current computer technology--including
DRM--simply can't prevent that piracy 100 percent of the time. Quite a
dilemma.

====================

==== Sponsor: J.A. Korsmeyer, Inc. ====
 
Microsoft recommends Extensible Messaging Platform for Exchange Server
2003 spam protection
    "Microsoft is pleased to be working with J.A. Korsmeyer, Inc., to
build exciting new security solutions for Exchange Server 2003," said
Chris Baker, group product manager for Exchange at Microsoft Corp.
"Deploying Exchange Server 2003 with Extensible Messaging Platform
will help e-mail users enjoy an increased sense of security and
freedom from intrusive content while conducting their daily e-mail
tasks. The elimination of objectionable content translates to lower
TCO, decreased liability and increased productivity." Extensible
Messaging Platform also supports Exchange Server 5.5 and 2000.
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3f0Ak

====================

==== 2. Security Risks ====
   contributed by Ken Pfeil, ken@winnetmag.com

Cross-Site Scripting and Script-Injection Vulnerabilities in IE
     Two new vulnerabilities in Microsoft Internet Explorer (IE) can
result in the execution of arbitrary code on the vulnerable system.
The cross-site scripting vulnerability results from IE not filtering a
displayed URL properly and might cause the browser to render HTML
passed in the querystring of the URL. The script-injection
vulnerability results from a flaw in a common function that internal
resources use. An attacker can exploit this flaw to execute script
commands in the My Computer zone. Microsoft was notified on February
20, 2003, but hasn't yet released a fix for these problems.
   http://www.secadministrator.com/articles/index.cfm?articleid=39344

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Attend the Black Hat Briefings & Training, July 28-31 in Las Vegas
   This is the world's premier technical IT security event, with lots
of Windows sessions! 10 tracks, 15 training sessions, 1800 delegates
from 30 nations including all of the top experts from CSOs to
"underground" security specialists. See for yourself what the buzz is
all about! Early-bird registration ends July 3. This event will sell
out.
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0pHV0AW

New Active Directory Web Seminar!
   Discover how to securely manage Active Directory (AD) in a
multiforest environment, establish attribute-level auditing without
affecting AD performance, enhance secure permission management with
"Roles," and more! There's no charge for this event but space is
limited--register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BAyl0A1

==== 4. Security Roundup ====

News: CERT Bulletin Leaked Early--Again
   An anonymous person has again posted vulnerability information
gleaned from CERT.
   http://www.secadministrator.com/articles/index.cfm?articleid=39320

News: Microsoft Helps Improve Web Application Security
   Microsoft announced the release of a new guide, "Improving Web
Application Security: Threats and Countermeasures," designed to help
developers create intrusion-resistant applications.
   http://www.secadministrator.com/articles/index.cfm?articleid=39321

Feature: 3 Tiers for Your CA Hierarchy
   Joseph Neubauer explains why setting up a three-tiered Certificate
Authority (CA) hierarchy is usually a better approach than using a
one- or two-level CA. Check the article out on our Web site!
   http://www.secadministrator.com/articles/index.cfm?articleid=39244

==== Hot Release ====

St Bernard Software
Network Protection Kit For IT Professionals
Make your network more secure than ever before, and download St. Bernard
Software's FREE Network Protection Kit! It was designed to show you how
to handle security patch management, enforce Web usage policies, prevent
data loss during backup due to open files. . . And that's just for starters!
IT pros like you will get the latest information on hot-button technology
issues including patch management! Get information-packed White Papers,
real-life success stories and complete product information.
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA3g0Al

====================

==== 5. Instant Poll ====

Results of Previous Poll: Certifications and Hiring
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Does your company hire IT administrators based on certifications?"
Here are the results from the 164 votes.
   -  2% We hire based largely on certifications
   - 18% We hire based on certifications and experience
   - 51% We consider certifications secondary to work experience
   - 29% We hire based only on proven experience

New Instant Poll: Fighting Software Piracy
   The next Instant Poll question is, "Do you think legalizing the
destruction of software pirates' computers is a reasonable course of
action?" Go to the Security Administrator Channel home page and submit
your vote for a) Yes or b) No.
   http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

FAQ: How Can I Enable Advanced File-System and Sharing Security for a
Windows XP Machine in a Workgroup?
   (contributed by John Savill, http://www.windows2000faq.com)

A. When an XP machine belongs to a domain with shared resources, a
Security tab appears on the Properties dialog box for the file,
folder, or share. You can use this tab to assign advanced sharing
permissions. However, this tab is missing for XP machines that belong
to a workgroup.

A new feature in XP effectively logs all remote logons in a workgroup
as Guest, regardless of the account and password credentials that the
remote computer passes. (This approach avoids the need for different
machines in a workgroup to replicate local accounts, which is the
method Windows 2000 uses to enable transparent sharing.) XP locks down
the Everyone group (to which Guest belongs) permissions, which cuts
down on the security problems that an enabled Guest account in Win2K
caused. Because all machines in a workgroup are effectively Guest
connections, the advanced security features aren't very useful, which
is why Microsoft disabled them in XP.

If you want to enable advanced file-system and sharing security, you
must disable the ForceGuest registry setting by performing the
following steps:
   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry
subkey.
   3. Double-click forceguest, set it to 0, then click OK.
   4. Restart the computer for the change to take effect.

If you disable the Guest account but enable the ForceGuest setting,
remote connections will fail, regardless of the username and password
the user passes in--even if these credentials are valid.
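The following script is an added example, not part of the newsletter or of John Savill's FAQ. It audits the ForceGuest value at the registry path the FAQ gives, reports what the current setting means for remote workgroup logons, warns about the combination the FAQ describes (Guest account disabled while ForceGuest is still enabled, so every remote connection fails), and only changes the value when run with a -Disable switch. The switch name, the use of the WinNT ADSI provider to read the Guest account's disabled flag, and the assumption of an elevated PowerShell session on the machine being checked are mine; nothing here comes from the FAQ beyond the path, the value name and the 0/1 semantics.

```powershell
# Added example, not from the newsletter or the FAQ author.
# Assumes: run locally in an elevated PowerShell session; the Guest account
# still carries its default name. The -Disable switch is this script's own.
param(
    [switch]$Disable   # set forceguest to 0 (the change the FAQ describes)
)

# Registry location named in the FAQ.
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-ForceGuest {
    # Returns 1 (remote workgroup logons mapped to Guest), 0 (disabled),
    # or $null when the value is not present at all.
    $item = Get-ItemProperty -Path $lsaPath -Name forceguest -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.forceguest
}

function Test-GuestDisabled {
    # Reads the local Guest account through the WinNT ADSI provider.
    # Bit 0x2 of UserFlags is ADS_UF_ACCOUNTDISABLE.
    try {
        $guest = [ADSI]"WinNT://$env:COMPUTERNAME/Guest,user"
        return (($guest.UserFlags.Value -band 0x2) -ne 0)
    } catch {
        # No account named Guest (renamed or removed); treat as unknown.
        return $null
    }
}

$current       = Get-ForceGuest
$guestDisabled = Test-GuestDisabled

if ($null -eq $current) {
    Write-Output "forceguest value not present under $lsaPath"
} elseif ($current -eq 1) {
    Write-Output 'forceguest = 1: remote logons are mapped to Guest; the Security tab is hidden'
} else {
    Write-Output 'forceguest = 0: remote logons use the supplied credentials; advanced permissions are available'
}

# The failure mode the FAQ warns about: ForceGuest on, Guest account off.
if ($current -eq 1 -and $guestDisabled -eq $true) {
    Write-Warning 'Guest is disabled while forceguest = 1: remote connections will fail even with valid credentials'
}

if ($Disable) {
    # Takes effect only after a reboot, as the FAQ notes.
    Set-ItemProperty -Path $lsaPath -Name forceguest -Value 0 -Type DWord
    Write-Output 'forceguest set to 0; restart the computer for the change to take effect'
}
```

Run it without arguments first to see the current state; the warning is the case to look for when a workgroup machine suddenly refuses all network logons after someone disabled Guest for hardening. Re-run with -Disable to make the registry change the FAQ's steps 1 to 4 perform by hand.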

==== 7. Event ====

Storage Road Show Event Archived!
   Couldn't make the HP & Microsoft Network Storage Solutions Road
Show? View the taped event archives from your Web browser!
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw07cD0Ai

==== 8. New and Improved ====
   by Sue Cooper, products@winnetmag.com

Set Up Wireless and Wired Security with One Firewall
   WatchGuard Technologies announced the Firebox SOHO 6 Wireless, a
line of firewall/VPN appliances that provide wireless and wired
security for small businesses, remote offices, and telecommuters.
Features include an integrated 802.11b Wireless Access Point (WAP),
four-port LAN 10/100 switch, remote management from a central
location, dynamic DNS (DDNS) support, desktop antivirus, meshed VPN
topology, and an intuitive Web-based UI for configuration. Users are
required to set up security on the Firebox SOHO 6 Wireless before
enabling the wireless connection in order to ensure the network is
protected from the outset. Each of the three Firebox SOHO 6 Wireless
family models includes a 90-day renewable subscription to WatchGuard's
LiveSecurity Service, for systematic updates and security
intelligence. Contact WatchGuard Technologies at 206-521-8340 or
information@watchguard.com.
   http://www.watchguard.com

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot@winnetmag.com.

==== 9. Hot Thread ====

Windows & .NET Magazine Online Forums
   http://www.winnetmag.com/forums

Featured Thread: Hardening the TCP/IP Stack
   (Five messages in this thread)

A user writes that his company has several security measures in place
through Group Policy, as well as certain ACL adjustments that include
the registry on his servers. His servers are also protected by a
firewall. In the past, he's hardened the stack for servers sitting in
the demilitarized zone (DMZ) that have direct connections to the
Internet, but not for member servers. He wants to know whether it's a
good idea for him to also harden his member servers' TCP/IP stacks.
Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=59755

==== Sponsored Links ====

FaxBack
   Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial)
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BAoJ0AI

AutoProf
   Jerry Honeycutt Desktop Deployment Whitepaper
   http://list.winnetmag.com/cgi-bin3/DM/y/eRWs0CJgSH0CBw0BA1Z0AW

===================

==== 10. Contact Us ====

About the newsletter -- letters@winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products@winnetmag.com
About your subscription -- securityupdate@winnetmag.com
About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

====================
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo@attrition.org with 'unsubscribe isn'
in the BODY of the mail.